Webshell Detection With Command Line Keywords
Detects certain command line parameters often used during reconnaissance activity via web shells
Sigma rule (View on GitHub)
1title: Webshell Detection With Command Line Keywords
2id: bed2a484-9348-4143-8a8a-b801c979301c
3status: test
4description: Detects certain command line parameters often used during reconnaissance activity via web shells
5references:
6 - https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html
7 - https://unit42.paloaltonetworks.com/bumblebee-webshell-xhunt-campaign/
8 - https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild
9author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, Anton Kutepov, oscd.community, Chad Hudson, Matt Anderson
10date: 2017-01-01
11modified: 2024-12-14
12tags:
13 - attack.persistence
14 - attack.discovery
15 - attack.t1505.003
16 - attack.t1018
17 - attack.t1033
18 - attack.t1087
19logsource:
20 category: process_creation
21 product: windows
22detection:
23 selection_webserver_image:
24 ParentImage|endswith:
25 - '\w3wp.exe'
26 - '\php-cgi.exe'
27 - '\nginx.exe'
28 - '\httpd.exe'
29 - '\caddy.exe'
30 - '\ws_tomcatservice.exe'
31 selection_webserver_characteristics_tomcat1:
32 ParentImage|endswith:
33 - '\java.exe'
34 - '\javaw.exe'
35 ParentImage|contains:
36 - '-tomcat-'
37 - '\tomcat'
38 selection_webserver_characteristics_tomcat2:
39 ParentImage|endswith:
40 - '\java.exe'
41 - '\javaw.exe'
42 CommandLine|contains:
43 - 'catalina.jar'
44 - 'CATALINA_HOME'
45 selection_susp_net_utility:
46 OriginalFileName:
47 - 'net.exe'
48 - 'net1.exe'
49 CommandLine|contains:
50 - ' user '
51 - ' use '
52 - ' group '
53 selection_susp_ping_utility:
54 OriginalFileName: 'ping.exe'
55 CommandLine|contains: ' -n '
56 selection_susp_change_dir:
57 CommandLine|contains:
58 - '&cd&echo' # china chopper web shell
59 - 'cd /d ' # https://www.computerhope.com/cdhlp.htm
60 selection_susp_wmic_utility:
61 OriginalFileName: 'wmic.exe'
62 CommandLine|contains: ' /node:'
63 selection_susp_powershell_cli:
64 Image|endswith:
65 - '\cmd.exe'
66 - '\powershell.exe'
67 - '\pwsh.exe'
68 CommandLine|contains:
69 - ' -enc '
70 - ' -EncodedCommand '
71 - ' -w hidden '
72 - ' -windowstyle hidden'
73 - '.WebClient).Download'
74 selection_susp_misc_discovery_binaries:
75 - Image|endswith:
76 - '\dsquery.exe'
77 - '\find.exe'
78 - '\findstr.exe'
79 - '\ipconfig.exe'
80 - '\netstat.exe'
81 - '\nslookup.exe'
82 - '\pathping.exe'
83 - '\quser.exe'
84 - '\schtasks.exe'
85 - '\systeminfo.exe'
86 - '\tasklist.exe'
87 - '\tracert.exe'
88 - '\ver.exe'
89 - '\wevtutil.exe'
90 - '\whoami.exe'
91 - OriginalFileName:
92 - 'dsquery.exe'
93 - 'find.exe'
94 - 'findstr.exe'
95 - 'ipconfig.exe'
96 - 'netstat.exe'
97 - 'nslookup.exe'
98 - 'pathping.exe'
99 - 'quser.exe'
100 - 'schtasks.exe'
101 - 'sysinfo.exe'
102 - 'tasklist.exe'
103 - 'tracert.exe'
104 - 'ver.exe'
105 - 'VSSADMIN.EXE'
106 - 'wevtutil.exe'
107 - 'whoami.exe'
108 selection_susp_misc_discovery_commands:
109 CommandLine|contains:
110 - ' Test-NetConnection '
111 - 'dir \' # remote dir: dir \<redacted IP #3>\C$:\windows\temp\*.exe
112 condition: 1 of selection_webserver_* and 1 of selection_susp_*
113falsepositives:
114 - Unknown
115level: high
References
Related rules
- Chopper Webshell Process Pattern
- Webshell Hacking Activity Patterns
- Cisco Discovery
- HackTool - winPEAS Execution
- Whoami.EXE Execution Anomaly